On December 20th, 2020, the Organisation for Economic Cooperation and Development (OECD) nations discreetly began an extraordinary effort to develop standard guidelines for accessing private sector personal data for national security and law enforcement reasons. The project is being undertaken on the assumption that these democratic governments, despite legal differences, share many commonalities in this area, and that articulating them can help restore trust in data flows between countries and highlight their differences from authoritarian regimes that engage in indiscriminate access to individuals’ data.
The guidelines stem from the principle that there is a danger that disparities in national legislation could hamper the free flow of personal data across frontiers. These flows have greatly increased in recent years and are bound to grow further with the widespread introduction of new computer and communications technology. Restrictions on these flows could cause serious disruption in important sectors of the economy, such as banking and insurance.
BACKGROUND ON ORGANISATION FOR ECONOMIC COOPERATION AND DEVELOPMENT
The OECD’s effort to establish standard restrictions on government access has been marked by conflicts and delays. The OECD has just begun work on the project after an impasse that halted development in the second half of 2021.
In today’s digital age, governments have access to a great deal of personal information. Even more data is kept by private organizations, ranging from cloud service providers to other businesses that use local computers to store their data. Public health activities in response to the coronavirus and financial market regulation may benefit from private sector personal data. National security and law enforcement are two of the most essential uses for government access to data.
Since Edward Snowden’s 2013 disclosures concerning the extent and scale of U.S. signals intelligence gathering, there has been heightened international scrutiny of U.S. intelligence services’ access to privately owned data. The Schrems judgments of the Court of Justice of the European Union (CJEU) in 2015 and 2020, which suspended data transfers under the EU-US Safe Harbor framework and subsequently the Privacy Shield, have kept the issue in the limelight. International surveillance laws in the United States do not provide safeguards equal to those required by European law, according to the CJEU. Since then, Europeans’ attention to the NSA’s actions has expanded to include a comparison of the monitoring regimes of other Western democracies’ counterparts.
WHAT IS THE PRIVACY SHIELD
Personal data transfers between the European Union and the United States for commercial reasons were regulated under the EU–US Privacy Shield. For one thing, it made it easier for US corporations to obtain personal data from EU organizations in compliance with European Union data protection regulations. The EU–US Privacy Shield superseded the International Safe Harbor Privacy Principles, which were ruled unconstitutional by the European Court of Justice in October 2015. On July 16, 2020, the European Court of Justice (ECJ) ruled that the EU–US Privacy Shield was illegal.
Privacy organizations have taken legal action against the Privacy Shield. There were initial doubts about whether the cases would be admissible. Despite this, the Privacy Shield’s future was in doubt by February 2017.
In December 2019, the Court of Justice of the European Union (CJEU) delivered a preliminary opinion in the Data Protection Commissioner (DPC) v. Facebook Ireland case (also known as Schrems II). The clash in regimes might lead to a number of different outcomes. The author stated that the ruling ‘should generate equal measures of relief and alarm for the U.S. government and for companies dependent on data transfers.’
In Schrems II, a final CJEU ruling was issued on July 16, 2020. The European Court of Justice ruled that the EU-US Privacy Shield for data exchange did not adequately safeguard EU people from government surveillance. ‘Transfers on the basis of this legal framework are unlawful,’ the European Data Protection Board (EDPB), an EU agency whose rulings are obligatory for national privacy supervisory agencies, said.
The European Court of Justice has ruled that ‘standard contractual terms’ (SCCs) may still be used to facilitate data transfers between the EU and other nations. When it comes to nations with laws that are fundamentally incompatible with the EU Charter of Fundamental Rights and the GDPR, SCCs may not be able to safeguard data.
WHAT IS THE CLOUD ACT
Because of amendments made to the Stored Communications Act (SCA) by the CLOUD Act, law enforcement agencies in the United States now have the ability to compel technology companies with U.S. headquarters to turn over information held in server farms located anywhere, even if the servers are located outside the country.
The CLOUD Act was established because the FBI had difficulty getting remote data via service providers using SCA warrants, since the SCA was designed before cloud computing became a viable technology. For instance, an inquiry by the FBI into drug trafficking in 2013 led to an SCA warrant for emails kept on a Microsoft server in Ireland, which Microsoft refused to deliver. In Microsoft Corp. v. United States, the Supreme Court heard a case involving a legal dispute. Despite the FBI’s assertion that Microsoft had complete control of the data, Microsoft asserted that the SCA did not apply to data held outside the United States. For cross-border law enforcement purposes, the FBI might propose a mutual legal assistance treaty (MLAT), but obtaining one or having one processed via an already-in-place treaty would take time and hinder enforcement activities.
SO, WHAT DOES THIS MEAN
The CLOUD Act and EU E-evidence regulations now exist as new legislation and plans that allow for international access to cloud services. Both coerced (or forced) access and direct access may be conducted by governments and corporations. There is a difference between a law enforcement agency’s demand for access and an intelligence agency’s use of administrative authority in democratic nations. Non-democratic nations, on the other hand, may resort to pressure and penalties.
PREDECESSORS TO THE OECD PRINCIPLES
Because of its extensive experience in economic law and in the privacy issues surrounding private sector data, the OECD jumped at the chance to take on the G-20 proposal. For decades, governments and businesses have relied on its 1980 Privacy Guidelines, which were last amended in 2013, as a method of preserving confidence in data transfers. Additionally, the OECD has already dealt with international business law enforcement by drafting and implementing the 1999 Convention on Combating Bribery of Foreign Public Officials in International Business Transactions.
The OECD’s Committee on Digital Economic Policy (CDEP) made the topic a priority in December 2020 and provided terms of reference for an informal working group of members to explore it. As a possible consequence of the project, the committee considered creating an official non-binding OECD legal instrument.
DRAFT COMPELLED ACCESS PRINCIPLES
To begin with, the drafting committee came up with an initial set of promises that could be applied to any way of government accessing private-sector data. Proportionality, openness, and the presence of procedures for supervision and redress were all mentioned as essential components of this data protection framework. It did not specify how these safeguards would be implemented; each country’s legislative structure and pertinent circumstances would dictate that.
The national legislative framework lays forth legitimate goals for law enforcement and national security access, ensures that the breadth of data collection and usage is compatible with the declared purpose, and records incidents of access for later oversight and remedy reasons. The word ‘proportionality’ is used in EU data protection legislation, but not in other OECD member nations’ legal systems.
This concept recognizes that nations have set legal standards for government access requests that are proportionate to the level of individual rights intrusion. In certain situations, depending on the severity of the interference, a request for access must be approved not by the government’s executive branch but by an independent judicial or administrative authority.
HOW THE CONVENTION WAS DRAFTED
In order to protect the integrity and security of personal information gained by compelled access, the data is only maintained for as long as it is legally permitted, and if it is no longer permitted, it is erased. In addition, the handling rules are meant to allow oversight authorities to assess the gathering and use of data in the future.
Government access law frameworks may not be as transparent as those in the private sector, according to the transparency principle. ‘To the maximum degree practical,’ obliged access regimes are open and accessible to the public. Classified material may be withheld from the public for a length of time while people have the right to request that their personal data be released.
Compliance monitoring acknowledges the presence of ‘a variety’ of procedures for monitoring required access, assuring reporting, and correcting non-compliance. An independent inquiry or audit may be conducted and documented via frequent reports by oversight bodies.
This kind of remedy is carried out by independent agencies such as courts and other neutral institutions that are not directly involved in the case at hand. These institutions may demand that data be corrected or deleted, or that damages be compensated. Obligated access information may be utilized in a criminal prosecution if it is subsequently accessed and challenged by the accused. Due to a ‘legitimate government necessity to preserve the lives and integrity of national people, or national security or law enforcement information and investigations,’ this notification right may be reduced or postponed.
There were disagreements within the Organization for Economic Co-operation and Development about the continuing US and European Union negotiations to fix aspects of the Privacy Shield system. In its 2020 Schrems II ruling, the CJEU held that the US foreign surveillance system did not fulfill the criteria of the EU Charter of Fundamental Rights in terms of remedy and proportionality. It had taken into account not just the legally required access requests of U.S. national security services under the Foreign Intelligence Surveillance Act (FISA), but also the covert access restrictions of Executive Order 12333, a different legal authority. Because an OECD accord was restricted in scope to obligatory access, it may have been interpreted as minimizing the necessity of a trans-Atlantic agreement on direct access under Executive Order 12333.
The principles center around [A.] Collection Limitation; [B.] Data Quality; [C.] Purpose Specification; [D.] Use Limitation; [E.] Security Safeguards; [F.] Openness; [G.] Individual Participation; and [H.] Accountability.
The principles lay down the standard for the collection of data that may possibly infringe upon the rights of private individuals. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. Additionally, personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.
The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with Paragraph 9 except [A.] with the consent of the data subject; or [B.] by the authority of law.
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data. There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available for establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
Individual Participation Principle
An individual should have the right: [A.] to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; [B.] to have communicated to him data relating to him within a reasonable time; [C.] to be given reasons if a request is denied, and to be able to challenge such denial; and [D.] to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
A data controller should be accountable for complying with measures that give effect to the principles stated.
ALTERNATIVES TO THE OECD PRINCIPLES
The OECD is not the only global forum addressing the problem of government access to private-sector data now that it has resumed its work.
In October, the Global Privacy Assembly (GPA), a group of national data protection agencies from across the world, approved a resolution recommending guidelines for government access to private sector personal data. While the OECD draft was created by governments’ delegations that included both privacy and security service officials, this resolution was written primarily by privacy regulators. According to the resolution, governments should establish the need and proportionality of data requests by monitoring agencies. In contrast to the OECD concept, the GPA principle asks for regulatory constraints on secondary uses or onward transfers of gathered data. While the GPA’s decision seems to favor court approval before overseas monitoring may be enacted, an independent body, administrative or judicial in character, would be preferable.
The Council of Europe (COE), situated in Strasbourg, has also taken initial steps toward addressing this issue. Multilateral agreements on both data protection and law enforcement have already been created by the COE (the Budapest Convention, with its newly issued Second Additional Protocol). The United States has joined the Budapest Convention but has not acceded to the COE data protection instruments as an observer state.
An OECD policy statement on government access to data for law enforcement and national security reasons may have a significant normative impact. Such a statement may assist in identifying and promoting best practices across member states’ domains. It could also convey the consensus view of established democratic governments and contribute to the advancement of national and international law.
The recommendations, thus, are fourfold. The guidelines recommend that [A.] Member countries take into account in their domestic legislation the principles concerning the protection of privacy and individual liberties set forth in the Guidelines; [B.] Member countries endeavor to remove or avoid creating, in the name of privacy protection, unjustified obstacles to transborder flows of personal data; [C.] Member countries co-operate in the implementation of the Guidelines set forth in the Annex; and [D.] Member countries agree as soon as possible on specific procedures of consultation and co-operation for the application of these Guidelines.
The OECD has a long history of successfully addressing challenging issues related to national sovereignty. A tax initiative aimed at combating multinational corporations’ base erosion and profit shifting (BEPS) is an example of this. With the OECD/G20 Inclusive Framework on BEPS, one hundred and forty nations and jurisdictions have agreed to follow a fifteen-point strategy to combat tax evasion. Additionally, the OECD helped multiple nations and jurisdictions reach a ground-breaking minimum corporate tax agreement to meet the tax problems posed by the digitization of the industry.
The OECD’s efforts on international bribery and taxes were as difficult as negotiating the laws allowing government access to data for national security and law enforcement reasons. An organization with a multi-stakeholder culture in an area where the private sector and civil society have much to say, such as global warming, is more likely to succeed. It’s a great time for democracies to demonstrate how their shared commitment to the rule of law and human rights applies in an era when the possibility for electronic monitoring of people has grown enormously. They could send a powerful statement to the rest of the world after they agreed on how to sequence work combining obligatory access principles and direct access modalities.